As business evolves, many plans are lagging behind
By David Palermo
Recent research[1] has identified a growing "vulnerability gap" that could leave many organizations
at risk in the event of an IT disruption - even those businesses
that have business continuity plans in place. Most companies reported
that they would not be able to get access to mission-critical systems
in time. Newer technologies, such as e-mail and enterprise resource
planning (ERP) systems, are especially at risk, the survey found.
The reasons for this gap are many. New business conditions
are quickly changing the rules in business continuity and disaster
recovery. Companies are more reliant than ever on electronic infrastructure,
and traditional approaches may no longer be adequate to protect
them. The greatest threats facing most companies today, for example,
aren't physical disasters but electronic threats: faulty software,
overtaxed infrastructure, viruses, worms and other forms of electronic
vandalism. As conditions change, it's useful for IT managers to
take a step back from their ongoing operations and re-examine the
assumptions that are driving their business continuity planning.
Protect the business, not just the data
The traditional model of IT disaster recovery - protecting data
and mission-critical systems in the event of a disruption to normal
business - often falls short of fully protecting a company from
business interruptions. Indeed, for many organizations, recovery
plans only partially address their ability to bounce back after
an unforeseen incident.
The roots of disaster recovery and business continuity
are in the IT department, so understandably the focus has been on
protecting the data.
But there's a fundamental fallacy to this approach.
It assumes that if the organization's data - or more broadly, its
IT infrastructure - is protected, then the company is protected.
But the company is not the infrastructure. Stop by
any business campus on a Sunday afternoon. The infrastructure is
there, but the business is closed. What's missing? The people.
A company - or a nonprofit agency, or a government
department - consists of people using the infrastructure to get
things done. To protect the organization, planning must consider
this vital connection between information and the people who need
it - in short, information availability.
What's missing from most organizations' disaster recovery
plans are specific recovery procedures to make sure employees have
access to their data as soon as they need it. In today's business
climate, with its increased reliance on technologies, the new issue
that a disaster recovery plan must confront and resolve is how quickly
will people be connected not only to their data, but also to phones,
e-mails, and a physical location from which they can do their jobs.
The proposition seems logical, yet many companies
are falling short. In a recent survey sponsored by SunGard Availability
Services, companies reported that they needed to have access to
mission-critical systems within 18 hours on average. However, these
same companies said it would take at least 24 hours - and in many
cases, far longer - to actually recover those systems.
For example, on average companies said it would take
more than two days to replace a mission-critical processor, and
close to four days to find and set up a new work facility if needed.
Despite having disaster-recovery plans in place, most companies
would suffer considerable disruptions if an adverse event did occur.
Risks from newer technologies
Another area where organizations are vulnerable is the disparity
between what their disaster recovery plan covers and what functions
are actually needed to keep the business going. Over the last decade,
this gap has widened, because companies have implemented new technology
more quickly than they have established ways to protect it. And
in this respect, the most technologically adept firms - the early
adopters of new technology, for example - are often most at risk.
For instance, while a more traditional firm may have
only a small portion of its revenue dependent on Web transactions,
an e-commerce firm that loses its server puts its entire revenue
stream - and its very survival - at risk.
There is a similar disparity between plans and reality
for a number of technologies. E-mail, for example, is the mission-critical
application that requires the greatest level of access (Figure 1).
Yet it's less likely to be included in a company's disaster plan
than applications such as inventory control and financials (Figure 2).
Over the past five years, many companies have transferred
much of their external and internal communications from phones,
fax and paper onto e-mail. Usually this transition has occurred
gradually and spontaneously. Top managers may not understand just
how dependent the organization has become on its e-mail, or the
business consequences of a disruption. As a result, protection of
this vital asset often lags behind.
Another emerging vulnerability is ERP systems. Because
ERP is designed to connect and coordinate data across the organization,
a failure at one point can cripple the entire enterprise. Yet the
survey found that more than a third of companies with ERP systems
don't address them at all in their disaster planning (Figure 2).
Emerging areas of vulnerability
If an IT department today were going to develop its business recovery
plan from a clean slate, it would have to take into account new
sources of information that either were not widely available ten
years ago, or that had little impact on the company. A key question
to consider when evaluating existing plans is: "Where does the information
that drives our business reside?"
For many companies, the answer would be, "Everywhere."
It may be 30,000 feet in the air, in the CEO's laptop as he drafts
a new strategic plan on a homebound flight. In the PDA of a top
salesperson, who, at this moment, is updating contact information
about important customers and prospects. In a customer service center
three states away, where people you've never met talk to your customers
and track their online orders. And in hundreds, or thousands, or
millions of customers' computers, storing the cookies that allow
your website to recognize them and engage them one-on-one with a
web experience tailored just for them.
Compare this IT reality to the old days of the glass
house, where all of an organization's mission-critical data was
stored on a mainframe in a chilly room where only IT people ventured.
A business recovery plan back then was inward looking, and aimed
at maintaining the integrity of mainframes and the data being stored
in them.
But that's no longer the case, so the challenge for
the future is to: (1) find ways to protect a staggering amount of
information, no matter where it's stored and no matter how it's
used; and (2) find ways to make sure people can stay connected to
their data, no matter what the disruption. Without addressing -
and linking - those two elements, a plan may fall far short of its
goals in protecting business continuity.
False security
Business recovery plans are typically developed - and tested - when
all systems are operating smoothly and there is no sense of urgency.
But a successful test may actually create a false sense of security.
Just because the plan meets its objectives under test conditions
doesn't mean it will protect the business in the event of an actual
crisis.
Business continuity plans must undergo regular reality
checks to be sure the assumptions underlying them are realistic.
This effort is complicated by the fact that business conditions
are always changing, and in ways that tend to raise the bar for
business continuity planning. The reason: Companies are quick to
embrace more technology and reap the benefits of greater efficiency
and cost savings, but investments to protect this technology tend
to lag behind.
There are many reasons why companies defer these investments.
The cost of preparedness can be significant, while the benefits
are mostly invisible unless or until a disruption occurs. Current
operational needs tend to be the squeaky wheel and take precedence
over planning for information availability. Also, senior management
is often not aware of the vulnerabilities, does not fully understand
how new technologies are contributing to the bottom line, and underestimates
the financial consequences if information availability is compromised.
They may suspect that IT requests for funds and personnel are symptomatic
of mission creep and not truly necessary to protect the business.
The bottom line
These new vulnerabilities suggest that many organizations need to
consider a broader approach to their business continuity efforts.
The stakes are considerable, for IT managers, top management and
other stakeholders.
Directors and stockholders, for example, are likely
to ask much tougher questions than ever before about hidden liabilities,
including the company's ability to survive significant business
disruptions. Management has a responsibility to protect the business
against foreseeable risks, or at least to inform stakeholders of
known risks. They are being held accountable not only for delivering
profits, but for their stewardship of the entire enterprise.
Stockholders and lenders have learned that fast growth
and high returns don't mean much unless the business is fundamentally
sound. Excessive risk may contribute to difficulties in securing
both capital and financing from skittish financial markets, and
a company that stumbles in its recovery efforts may irretrievably
lose the confidence of its shareholders, customers and employees.
The consequences of being unprepared can be extreme.
The entire enterprise can be at risk if it faces a crisis and finds
its plans inadequate.
About the Author
David Palermo is Vice President of Marketing
at SunGard Availability Services, where he is responsible for leading
the marketing strategy, research, and communications departments.
Prior to his current position, Dave was the Director of Marketing
for SunGard, where he was instrumental in defining the concept of
Information Availability. Palermo is a 17-year marketing veteran
with experience in sales, product marketing, marketing communications
and strategic planning in the consumer products and high tech industries.
Before joining SunGard, Dave held marketing management positions
at Duracell, Okidata and Compaq. He is an active member of the American
Marketing Association and a Trustee for the Downingtown Educational
Foundation. He holds a BBA from Kent State University and an MBA
from Eastern Michigan University. Dave can be reached at (484) 582-2442
or david.palermo@sungard.com.
[1] Research sponsored by SunGard Availability Services and conducted by the
independent research firm David Michaelson & Company.